Google Boosting SSL-Encrypted Sites in their search results

Last week, Google announced that sites that use the lock (SSL) for secure, encrypted content will start to outrank ones that don’t.

What does this mean for sites? And why is Google doing this?

Why Does Google Want All Sites to Use SSL?

According to an official blog post, Google is boosting SSL-encrypted sites in their search results.

But secure pages are slower. It’s because encrypting pages takes processor power – both on the server end and on the end user’s browser.

And speed matters. Google ranks pages that load more quickly much higher.

So why would Google encourage something that could make the end user experience slightly slower?

Google says that they want to make the Web a more secure experience.

And while I do see the merits of encrypted web browsing, I think that’s not the entire reason that Google is doing this. I’ll tell you my pet theory, below.

But before I get carried away with my conspiracy theories and start wearing a tinfoil hat around the office, I have a couple of top-level comments about this:

Right now, this is a very “weak” signal for Google (less than 1%), and is less important than having a high-quality site with great content.

Over time, this will likely become “required” to maintain your rankings, even if your site doesn’t collect information or sell anything.

Enabling SSL for all pages of a website will take time and energy to get it right – especially if the site wasn’t built in a modular way.

First, A Quick Primer on How SSL Works:

When you visit a website in your browser (e.g. CNN.com), the site sends a chunk of HTML code to your computer. The HTML tells your browser to put an image here, display text over there, and add a few links throughout the site.

The information on a public website (e.g. the homepage of CNN.com) isn’t sensitive information, so (until now) there’s been no reason to encrypt or scramble the HTML code when it’s sent to you via the public Internet.

It is possible for someone to “listen” in on these non-scrambled requests and figure out what site or pages within a site you’re visiting or reading. (Oh no… someone might know I checked the weather in Boulder, Colorado today.)

On a non-SSL page, if you log in with a username and password, someone can “grab” this information. This can happen on an unsecured public Wi-Fi network at a coffee shop, for example.

Most sites kick in encryption only when you enter in a username and password, or put in your credit card information.

On a Magento Commerce site, for example, the only time the eCommerce site uses the SSL encryption setting is when the user goes to the checkout page. (This is the default setting.)

Why not encrypt everything?

SSL takes time and processor power to scramble and unscramble the contents… and it’s just much faster to send non-scrambled content through the Web. And until now, speed has been the most important thing for Google and other search engines.

With SSL, any code transmitted over the public Internet is first scrambled (encrypted) using public key / private key encryption. It’s pretty crazy complicated, so I won’t get into the math here.

Facebook encrypts all of the content it serves to you, as do most banking sites. So you can rest easy, knowing someone at a coffee shop can’t read your bank balance, or snoop on your friend’s amazing video they took of their cat playing the piano.

What this means for a business:

In order to have a secure, https site, a Website owner needs to purchase an SSL certificate. This is often about $100 per year.

The other thing a business must do is make sure that all of its pages, images, CSS and internal links use the https: format instead of the http: format.

If you do, end users will see the little lock that shows up when you go to a secure portion of a site, such as when you make a purchase online, or log into your bank account. If you look in your browser, it will say https: instead of http: at the beginning. ‘S’ meaning secure.

If the site is serving content from a non-SSL source, then an end user will likely see a security warning. Just one image from a non-secure directory can trigger a warning.
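As an added example (not part of the original post), here is one way to check a page for the non-secure content described above before switching it to https. The host names shop.example, cdn.example and media.example, the sample page, and the function names are assumptions made up for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource (<a href> is navigation, so it is left out).
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "embed": "src", "object": "data", "link": "href"}
# Active content can change the whole page; images are "passive".
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}


class MixedContentFinder(HTMLParser):
    """Collect subresources an https:// page would still load over http://."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, kind, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are not fetched as content
        resolved = urljoin(self.page_url, value.strip())  # relative URLs inherit https
        if urlparse(resolved).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((self.getpos()[0], tag, kind, resolved))


def find_mixed_content(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; shop.example and media.example are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://shop.example/">
<script src="//cdn.example/app.js"></script>
</head><body>
<img src="http://shop.example/img/logo.png">
<a href="http://shop.example/about">About</a>
<embed src="http://media.example/banner.swf">
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE, "https://shop.example/"):
        print("line %d: <%s> %s mixed content -> %s" % finding)
```

On the sample page only the hard-coded http: image and the embedded Flash file are reported; the relative stylesheet path and the //cdn.example script pick up https from the page itself.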

Our site, for example, is not set up for encryption on the home page (but it does load quickly). Here’s the warning you’ll get if you try to force the site to use SSL:

The Real Reason I Think Google is Doing This:

I think that the real reason is that Google is upset at the NSA for monitoring people’s Web browsing sessions, and they want to do everything they can to hinder and prevent the NSA from being able to track and monitor everyone easily. Forcing Websites to encrypt their traffic means it will take more and more processing power for the NSA to be able to monitor people.

Google was really upset when they found out that the NSA was tapping their data feeds between data centers. Google didn’t encrypt these feeds (because it was too slow). Google quickly changed to high-grade encryption.

Google knows that it can effect change in the marketplace.

The carrot that Google is offering is better search rankings for sites that adopt end-to-end encryption.

And those sites that don’t adopt end-to-end encryption will eventually get the boot in terms of search rankings.

It’s rare that Google comes out and says that they will reward a specific practice with better search rankings. But for SSL encryption, they did.

My recommendation:

I’m not recommending that all sites immediately change over to SSL tomorrow, or even next month. But start preparing.

For companies that are in competitive spaces, small improvements can make a huge difference in search rankings.

Certain sites may need a lot of work done to make SSL work properly.

Certain things like page caching often don’t work with SSL. Varnish, for example, works really well, but can’t handle SSL encryption without another technology alongside it.

Sites that still use embedded Flash (and there are a LOT of sites that do) may need to be updated to prevent security warnings, especially if images or links are to non-SSL content.

You might need better hosting to keep your page load times as fast as possible, too.

Let me know if you’d like us to test out your site to see if you have an SSL certificate in place, and see how easy it is to enable wall-to-wall SSL for your site.